This repository has been archived by the owner on Dec 5, 2019. It is now read-only.

ssri upgrade - security advisory #246

Closed
FrailWords opened this issue Feb 28, 2018 · 4 comments · Fixed by #253

Comments

@FrailWords

There's a security advisory to upgrade ssri to >= 5.2.2 (right now it is at 5.0.0).

https://nodesecurity.io/advisories/565

[screenshot: ssri_vulnerability]

@alexander-akait
Member

@FrailWords please recreate this issue in the cacache package. It is a dependency.

@FrailWords
Author

@evilebottnawi Looks like there's already an issue there. Apologies for not looking it up first.

zkat/cacache#124

@zkat
Contributor

zkat commented Feb 28, 2018

For those dropping in, I wanna note: cacache and anything that uses it is not vulnerable to the issue in this advisory, because it does not use strict mode (which is where the regex happens). Likewise, it's unlikely that anyone using ssri for dealing with npm-compatible SRIs will run into this, because npm itself needs non-strict parsing.

rafaesc added a commit to rafaesc/uglifyjs-webpack-plugin that referenced this issue Mar 8, 2018
In version 10.0.4 of cacache, ssri was upgraded, which resolved the vulnerability

webpack-contrib#246
@michael-ciniawsky
Member

Released in v1.2.3 🎉
